The purpose of this blog is to hopefully inform and educate people about legal issues in technology, intellectual property, the Internet, and other areas of the law.  So I therefore try to avoid being political, but sometimes it’s hard to do.  And it’s really hard to do when the Republican brand—and isn’t it really all about branding these days?—has drifted so far from its roots that I would be remiss in not mentioning it.

There was a time, before September 11th at least, that Republicans—and the newly minted Tea Party—were for the concept of small and less intrusive government.  I’m all for that for reasons too numerous to mention here.  But I’m especially for it in areas of privacy, particularly on the Internet where personal data about people flows like water.  But alas, so much has changed in the world that up is down, small is big, and privacy now means data retention.

So to say I was disappointed when I read that the Republicans’ first major technology initiative in the House of Representatives was to introduce a bill to require Internet companies to keep track and store user data, would be an understatement.  The new bill, if it becomes law, would require ISPs and other Internet companies to store the Internet Protocol (“IP”) addresses and other records of users’ online activities for 2 years.  This goes far beyond what the Electronic Communication Transactional Records Act (“ECTRA”) passed in 1996 requires, which is for ISPs to retain any “record” for up to 180 days (in two 90 day increments) upon request by a “governmental entity.”  So where’s the smaller and less intrusive government we were promised?

The biggest backers of the bill are—no surprise here—law enforcement and prosecutors.  Of course they want the ability to fully investigate crimes on the Internet.  Who could realistically be against going after pedophiles, identity thieves, and scam artists?  But the potential for abuse by law enforcement remains a real one and a 2 year retention requirement (as opposed to companies who voluntarily save user data for a set period of time) strikes me as excessive.  Just ask these folks in Chicago who are being victimized by the police and prosecutors over the state’s absurd wiretap law.  So overreaching by law enforcement occurs in many different contexts.

As a practical common sense matter, do records on EVERYONE really need to be retained for at least 2 years?  Perhaps ECTRA has the more reasoned approach (dare I say) which requires preservation pursuant to a court order issued “only if the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.”  18 U.S.C. § 2703(d). 

But to retain records on everyone so that the police and law enforcement can cull through them at a later time and at their leisure seems particularly ripe for all sorts of abuse.  Hopefully, the Democrat-controlled Senate will be far more thoughtful in the consideration of such sweeping legislation (assuming it gets that far).  And if they’re not, then I’ll criticize the Democrats too, who are supposed to be more concerned about the “common man.”  Well, the common man needs his privacy too.  Rumor has it that he’s got the Internet now.

Talk about a slow news day.  A recent article in USA Today discusses the so-called “fine print” in ISP contracts and then concludes that it doesn’t really matter anyway.  This non-story highlights the fact that ISP contracts, which their company lawyers draft, give ISPs rights to read their subscribers’ e-mail, block their subscribers from accessing certain websites, and can terminate their subscribers for overusage of their networks.  The horror.  Imagine that?  A business that protects itself.  The shareholders will be outraged.

As an attorney who drafts these contracts, this article is much ado about nothing.  Yes, ISPs put all sorts of language into these agreements to make sure that their services are not abused by users.  But simply because an ISP has the right to read a user’s e-mail or block a user from accessing certain sites doesn’t mean that it will actually do so.  The article makes it sound inevitable.

An ISP, like every other business in America, is keenly aware of the public relations disaster that would result if it was disclosed that they routinely read their users’ e-mails, blocked access to websites, or simply terminated their users accounts due to overusage, without good cause.  They would quickly and perhaps permanently lose users as the media and blogosphere savaged them.  And as they know all too well, everything in cyberspace lives on indefinitely. 

But think of the public relations disaster that would result if it was disclosed that an ISP was aware or suspected that a user was engaging in wide scale spamming, copyright infringement, or the downloading of child pornography.  Or that certain users were hogging bandwidth to the point that other subscribers’ service was affected, while the ISP took a laissez-faire attitude?  It’s not exactly a model of corporate responsibility in these post-Sarbanes Oxley times.  The blogosphere would again be buzzing, albeit for different reasons.  You’re damned if you do, and damned if you don’t.

Furthermore, some of these clauses are economic necessities.  The RIAA has begun targeting ISPs whose users engage in massive and sustained downloading of copyrighted music through their networks.  If an ISP suspects that a user is downloading copyrighted material and does nothing, it can be held liable for contributory copyright infringement in certain instances.  But by terminating the offending user’s account, it may insulate itself from liability.  The “fine print” of the contract allows an ISP to do so.

Is an ISP contract really that different from signing a lease with a landlord?  A landlord has the right to access your apartment with or without notice and can potentially invade your privacy.  A landlord puts certain restrictions as to how its property can be used and how many people can live in it.  And a landlord can evict you under the right circumstances.  While internet access is certainly important nowadays, so is having a place to live.  Yet many tenants have rules not unlike what their ISPs impose, but don’t assume that their landlords will exercise them indiscriminately.

So the contractual provisions such as those described in the article are not necessarily a bad thing.  It all depends upon the circumstances.  If an ISP does include a provision that a court finds to be unfair or onerous, it can be struck from the contract (to say nothing of the scrutiny the ISP would get from that state’s attorney general).  So it’s not as if an ISP can do anything it wants.  While it may sound like this is a case of “ISPs gone wild,” the simple fact is that—for the moment at least—this was an article in search of a story.  But when an ISP does overreach or overreact, I’m sure we’ll hear about it somehow.

     In yet another invasion of privacy couched in the rhetoric of “but the consumer will benefit!” comes this story from the Washington Post.  Apparently, a small but growing number of ISPs are monitoring their users’ every click and keystroke.  The ISPs then harvest the data to determine a user’s interests and preferences and provide it to advertisers who make highly targeted pitches to the user.  I can see the pitch now:  “We’ve noticed that you’ve typed in the word “hemorrhoids” 12 times, searched Google 3 times, and visited 9 sites.  Here’s a coupon to try Preparation H for free.  It will stop the itch!”

      This monitoring is known as “deep-packet inspection” and it divides every aspect of a user’s data into packets that an ISP can analyze for content.   First, as a general matter, whenever I see anything with the words “deep” and “inspection” in a title, I get somewhat concerned without even having to read any further (similar to how the FBI first named its now infamous packet-sniffing software ”Carnivore,” but later changed it to the more benign-sounding “DCS1000″).  From a more substantive perspective, however, it represents a considerable escalation of an ISP’s ability to monitor its users.  Barring any legislative or regulatory action, it won’t be long until all ISPs engage in this practice.  According to the article, only 100,000 users are affected at the moment.

     As usual, the ISPs gain their users’ consent by burying the monitoring in their lengthy customer service agreements.  According to the article, one ISP—Knology—has a 27 page agreement and only makes vague reference to the system.  Few people actually have the time and energy to read them, and those that do will not necessarily understand them anyway.  The lawyers that draft them are not exactly known for their clarity, especially when it comes to a controversial subject such as this.  In fact, according to one Knology executive, there’s no violation of privacy at all.

     The article is silent as to how long an ISP actually retains all of this information, but presumably can retain it indefinitely.  And even if it doesn’t, once the information is disclosed and sold to advertisers, copies of it could continue to reside in cyberspace even if the ISP purges its records.  The article is also silent as to how such information could easily be disclosed to law enforcement or to parties involved in civil litigation.  So the march towards “zero privacy” continues. <sigh>